In the review the FCA made it plain that it was interested only in money-laundering, bribery and corruption. It explicitly said that it had no interest in terrorist finance in this instance and did not even mention other financial crimes such as fraud, insider-dealing and market manipulation. 

What is suspicion? 

The review started with an observation, made in passing, that the 'risk' of money-laundering and corruption may increase wherever there is a big-ticket or unexpected transaction. This cuts to the heart of the nature of 'suspicion' – the stage of alertness that every firm should reach before sending off a suspicious transaction report to the National Crime Agency – as it applies to high-net-worth individuals. It is an old trope that the spotting of 'unusual' transactions is not the same thing as the spotting of suspicious transactions because almost all HNW transactions are unusual. The FCA does not tackle this problem with any advice – a position its predecessor the Financial Services Authority always took, no matter how closely it was questioned.

Record-keeping and pay: five out of ten for effort 

Throughout the report the FCA dwelt on the common problem of bad record-keeping in this area. It thought that clear reporting lines and lines of responsibility for controls against these financial crimes were quite good on the whole. It did not, however, think that the effectiveness of these structures was documented for all to see. At one point it berated firms for not having 'customer due diligence' (a stilted phrase from the Basle Group that the European Union picked up and started using instead of 'know your customer' in 2001) records ready for its people to look at. This, too, was a reference to bad record-keeping. At one firm, the FCA complained, a customer had withdrawn £25 million and thereby triggered off a transaction monitoring alert, but no evidence was available in the records of who reviewed it or why it was eventually waved through. Not only might compliance officers draw the lesson from this story that good record-keeping is essential; they might also be inclined to think that it is always wise to spend the most effort (record-keeping and otherwise) on 'customer files' to which the FCA is like to attribute a high profile in drawing up a complaint.

Hidden in among the detail of the review paper was a compliment for firms: “The type and level of sophistication of transaction monitoring systems and controls implemented by firms is typically dependent on the nature, scale and complexity of a firm's business activities.” This was another way of saying that the firms the FCA surveyed were actually successful in observing the doctrine of 'proportionality'.

The FCA looked briefly at the way firms paid and vetted their staff. It was most pleased with those firms that used long-term incentive plans to pay staff extra for their performance as this diffused such rewards over a wider period and was likely to induce a measure of stability. The idea was that one-off bonuses for 'performance' were only too easy to use as excuses for corrupt payments for cutting corners or worse. The regulators also approved of the fact that firms typically vetted staff by checking their credit ratings; by verifying their names and addresses; by looking at their previous employment; by searching for County Court judgments; and by going to the eduction authorities for proof of their qualifications. They also liked the idea of practical training that was aimed squarely at the risks that every firm faced. 

What the FCA wants

In 2006-7 the old FSA developed a disconcerting habit, which some commentators have likened to a slight mental disease, of stating that this-or-that activity was 'good' or 'bad' practice with no reference to actual rules or even guidance. The FCA has continued this tradition here, with a battery of assertions – none of which can legally count in the eyes of the Upper Tribunal, the body that hears firms' appeals against the FCA. For what it is worth, this list of assertions stresses the FCA's desire to see firms spending large amounts of money and senior manpower on the problems of money-laundering and bribery control. 

What is a senior manager? 

On the subject of firms using 'management information' (an ill-defined term that refers to all the information about operations that staff can gather together for certain purposes) to combat crime, the FCA stresses its preference for a clear definition of 'senior management roles'. This phrase is always left vague but the report contains a rare moment of specificity in the context of sign-off for business relationships with 'politically exposed persons' and other highly risky customers, where the FCA reveals that it thinks of the money-laundering reporting officer as 'senior management'. It does, however, imply that additional involvement from the head of risk, the chief operating officer and the CEO would be preferable.

The FCA also likes the idea of committees composed of senior people meeting regularly to pinpoint risks and – a well-known FCA favourite – the inclusion of staff compliance with money-laundering and bribery controls in remuneration and staff incentive structures. It dislikes the absence of 'senior management challenge', but leaves the reader to guess what this means.

Risk-assessments also find favour with the FCA, especially when undertaken regularly. It also, rather daringly, mentions board-level involvement in signing-off processes as part of senior managers' jobs. Examples of poor practice include ad hoc risk assessments, a lack of 'dynamism' and the carrying-out of anti-bribery assessments as one-off exercises. 

On the subject of money-laundering controls the FCA thinks that it is 'good practice' for firms to come up with 'a clearly articulated definition of a PEP' (something that the Financial Action Task Force, the world's AML standard-setter, has continually failed to do for the whole of its history and the FCA along with it). It is also keen to see identification and verification information for customers reviewed periodically and 'refreshed', with a special eye on risks. It does not like out-of-date policies and procedures or failure to conduct 'enhanced due diligence' for PEPs, which admittedly is a legal requirement. 

No cash limits for bribe-prone payments 

On the subject of controlling bribery, the regulator is keen to see the rationale for each firm's use of agents and collaborators being documented because these people are thought to be the source of much corruption in financial services. It wants policies surrounding gifts and entertainment to be clear and available for all staff, but stops maddeningly short of giving the regulated community something it has long been crying out for: solid guidelines with concrete cash amounts being mentioned for every generic case. It could have done this in April at its inception; the fact that it is not doing so here is a sign that it never will. 

A right to audit 

The regulator's dislikes, the 'bad practices' of anti-bribery control, seem rather irrelevant in an environment where its guidance is so vague. Once again, the emphasis is on tying up large amounts of senior management time. It thinks it is bad practice, for example, for senior managers not to monitor gifts and entertainment activity consistently. More realistically, it is concerned that firms are not doing enough to monitor the anti-bribery efforts of their associates and counterparties. The FCA notes in the body of the report that contracts with these people ought to contain a 'right to audit' clause.

'Good practice' for training and awareness, according to the regulator, includes the rolling-out of good training to all staff; of even better training to senior managers; of 'tailored' training with a special eye on the business activities of the firm in question; periodic reviews; and above all good records of who has been trained and how. These are obvious common sense, as are the FCA's statements of 'bad practice'. These include a failure to train and involve senior managers; the absence of extra training for new joiners; and the use of training as a one-off exercise.

The tenor of the report might presage a new round of enforcement activity, but the reader is left with a sense that much has been achieved in the past few years in financial crime compliance. It states that most firms in the survey did have “a comprehensive suite of AML policies and procedures approved by senior management.” A few years ago this would have been highly questionable.